Can you offer best practices to avoid SQL (Server) injection?
Some sound advice on the subject can be found at
. The Web site is run by Chip Andrews, the fellow who coined the phrase "SQL injection." Most of the advice follows a repeating battle cry: Sanitize all data coming into your application (whether from human input, browser user-agent strings or cookies). Validate that when you're expecting a numeric, you receive a numeric. Most of it is simple once you get the hang of it, but it's a pain when you're trying to whip out a quick Web application. The trouble is that quick Web apps tend to grow into enterprise mission-critical systems. Things that didn't seem important when you were making a quick little program to track jelly beans (such as data input validation) become monstrous issues when your application controls the worldwide inventory of a Jelly Bean factory. Here are some additional resources to help you prevent SQL injection attacks:
Automate SQL injection testing
Checklist: How to test SQL Server security
Discover and lock down vulnerable SQL Server services
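The two pieces of advice in the answer above (validate that a numeric is really a numeric, and never splice raw input into SQL text) side by side, as an added example that is not part of the original answer. It uses an in-memory sqlite3 database and a constructed jelly bean table as a stand-in for SQL Server; the placeholder style is the same one pyodbc uses against SQL Server.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data standing in for a SQL Server table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jellybeans (id INTEGER PRIMARY KEY, flavor TEXT, qty INTEGER)")
    conn.executemany("INSERT INTO jellybeans VALUES (?, ?, ?)",
                     [(1, "cherry", 40), (2, "lemon", 25), (3, "licorice", 5)])
    return conn

def lookup_unsafe(conn, raw_id):
    # Vulnerable pattern: the user-supplied value becomes part of the SQL text,
    # so anything other than a bare number changes the meaning of the query.
    sql = "SELECT flavor, qty FROM jellybeans WHERE id = " + raw_id
    return conn.execute(sql).fetchall()

def parse_bean_id(raw):
    # Validation: when a numeric is expected, accept only ASCII digits.
    if not isinstance(raw, str) or re.fullmatch(r"[0-9]+", raw) is None:
        raise ValueError("bean id must be a positive integer")
    return int(raw)

def lookup_safe(conn, raw_id):
    bean_id = parse_bean_id(raw_id)
    # Parameterized query: the value travels separately from the SQL text,
    # so the database never interprets it as SQL.
    sql = "SELECT flavor, qty FROM jellybeans WHERE id = ?"
    return conn.execute(sql, (bean_id,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    print(lookup_unsafe(conn, "2"))          # one row, as intended
    print(lookup_unsafe(conn, "2 OR 1=1"))   # every row: the WHERE clause was rewritten
    print(lookup_safe(conn, "2"))            # one row
    try:
        lookup_safe(conn, "2 OR 1=1")
    except ValueError as err:
        print("rejected:", err)              # validation stops it before any SQL runs
```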